I had a very interesting discussion recently with a colleague from a very large company. He told me that C-level executives, especially CEOs, are tired of hearing about risk. "Risk," he said, "is an overused buzzword and they don't want to hear about it." This man is a security professional of long experience and is highly placed within his global 100 company.
I find this very disturbing. Managing the risks that impact an organization is a key element in keeping the organization viable. My colleague tells me, however, that the only things these corporate leaders want to hear about are improvements to the bottom line. Doesn't proper risk management improve the bottom line by reducing loss and the costs associated with loss?
Information is the corporate currency of the 21st century, and it would follow that managing risk to that information would, indeed, improve the bottom line. If C-level folks are tired of hearing about risk, we need to change our tune.
First, we need to stop talking about risk as if it were the only thing anyone needs to think about. Unless we are selling risk management tools or services, there are certainly other issues that corporate magnates need to think about.
Second, we in the information security world need to reshape our thinking. Virtually everything we do in today's information environment is about managing risk. We used to be information security professionals. Now, we are information risk management professionals. But we should really keep that a secret, just between us – the secret handshake of our order, so to speak.
Finally, we need to present the issue of information risk in a spiffy new light. As it happens, I had a chat with another colleague recently, a scientist and mathematician of significance. He takes the position that the issue is really quite simple. Risk is always balanced by gain. Risk goes up, gain goes down, and vice versa. Here's something C-levels can understand: manage risk and you make money. Fail and it costs you – sometimes a lot of money. We'll focus on the gain part of the equation, of course. The glass is always half full.
There are a lot of recent examples of corporate giants that didn't manage risk, usually to their detriment. I'll bet Martha Stewart could tell us a thing or two about investment risk and gain.
Then there's Arthur Andersen and Enron. But that's for another column.